dcmsign(1) OFFIS DCMTK dcmsign(1)

NAME
       dcmsign - Sign and Verify DICOM Files

SYNOPSIS
       dcmsign [options] dcmfile-in [dcmfile-out]

DESCRIPTION
       The dcmsign utility reads a DICOM file (dcmfile-in), performs a digital
       signature operation and, if any modification has taken place, writes
       the DICOM object to an output file (dcmfile-out).

       Five digital signature operations are supported:

       · verification of all signatures in the DICOM file,
       · creation of a new digital signature located in the main dataset,
       · creation of a new digital signature in an item of a sequence embedded
         within the dataset,
       · removal of a single digital signature from the DICOM file, and
       · removal of all digital signatures from the DICOM file.

PARAMETERS
       dcmfile-in   DICOM input filename to be processed

       dcmfile-out  DICOM output filename
OPTIONS
   general options
       -h   --help
              print this help text and exit

            --version
              print version information and exit

            --arguments
              print expanded command line arguments

       -q   --quiet
              quiet mode, print no warnings and errors

       -v   --verbose
              verbose mode, print processing details

       -d   --debug
              debug mode, print debug information

       -ll  --log-level  [l]evel: string constant
              (fatal, error, warn, info, debug, trace)
              use level l for the logger

       -lc  --log-config  [f]ilename: string
              use config file f for the logger

   input options
       input file format:

       +f   --read-file
              read file format or data set (default)

       +fo  --read-file-only
              read file format only

       -f   --read-dataset
              read data set without file meta information

       input transfer syntax:

       -t=  --read-xfer-auto
              use TS recognition (default)

       -td  --read-xfer-detect
              ignore TS specified in the file meta header

       -te  --read-xfer-little
              read with explicit VR little endian TS

       -tb  --read-xfer-big
              read with explicit VR big endian TS

       -ti  --read-xfer-implicit
              read with implicit VR little endian TS

   signature commands
            --verify
              verify all signatures (default)

       +s   --sign  [p]rivate key file, [c]ertificate file: string
              create signature in main object

       +si  --sign-item  [k]eyfile, [c]ertfile, [i]tem location: string
              create signature in sequence item

       +r   --remove  [s]ignature UID: string
              remove signature

       +ra  --remove-all
              remove all signatures from data set

   signature creation options (only with --sign or --sign-item):
       private key password:

       +ps  --std-passwd
              prompt user to type password on stdin (default)

       +pw  --use-passwd  [p]assword: string
              use specified password

       -pw  --null-passwd
              use empty string as password

       key and certificate file format:

       -pem --pem-keys
              read keys/certificates as PEM file (default)

       -der --der-keys
              read keys/certificates as DER file

       digital signature profile:

       -pf  --profile-none
              don't enforce any signature profile (default)

       +pb  --profile-base
              enforce base RSA signature profile

       +pc  --profile-creator
              enforce creator RSA signature profile

       +pa  --profile-auth
              enforce authorization signature profile

       MAC algorithm:

       +mr  --mac-ripemd160
              use RIPEMD 160 (default)

       +ms  --mac-sha1
              use SHA-1

       +mm  --mac-md5
              use MD 5

       tag selection:

       -t   --tag  [t]ag: "gggg,eeee" or dictionary name
              sign only specified tag
              (this option can be specified multiple times)

       -tf  --tag-file  [f]ilename: string
              read list of tags from text file

       signature format:

       -fn  --format-new
              use correct DICOM signature format (default)

       -fo  --format-old
              use old (pre-3.5.4) DCMTK signature format, non-conformant
              if signature includes compressed pixel data

   output options
       output transfer syntax:

       +t=  --write-xfer-same
              write with same TS as input (default)

       +te  --write-xfer-little
              write with explicit VR little endian TS

       +tb  --write-xfer-big
              write with explicit VR big endian TS

       +ti  --write-xfer-implicit
              write with implicit VR little endian TS

       length encoding in sequences and items:

       +e   --length-explicit
              write with explicit lengths (default)

       -e   --length-undefined
              write with undefined lengths

       other output options:

       +d   --dump  [f]ilename: string
              dump byte stream fed into the MAC codec to file
              (only with --sign or --sign-item)
NOTES
   Files and Parameters
       The dcmsign utility reads and writes a number of files and file formats
       which are described in this section.

       Public Key Certificates are expected in X.509v3 format, either with PEM
       or DER encoding. The dcmsign utility currently supports RSA and DSA
       public keys, although only RSA keys are defined in the Security
       Profiles of the DICOM standard.

       Private Keys are expected in PEM or DER encoding. PEM is recommended
       (and the default) because it allows private keys to be kept in
       encrypted form. Command line options control the behaviour of dcmsign
       when an encrypted PEM key is opened (see above). In general it is not
       recommended to specify the encryption password on the command line,
       because the command line may be visible to other processes in the
       system, e.g. via 'ps -ef'.

       The list of data elements to sign can either be read from a file or
       specified on the command line, or both (in this case the keys are
       combined).

       On the command line, attribute keys are specified as

         --tag "gggg,eeee"  where gggg and eeee are the hexadecimal group
                            and element numbers
         --tag "Name"       where 'Name' is a symbolic attribute name from
                            the DICOM dictionary (see below).

       When attribute tags are read from a file with the --tag-file option, a
       plain text file of max. 64 kbyte is expected. Tags within the file are
       either symbolic names from the data dictionary or have the format
       (gggg,eeee) (with parentheses). Tags are separated by one or more
       whitespace characters.

       The --sign-item operation requires a location string that describes in
       which sequence item a signature is to be created. The location string
       has the following format:

         SequenceName[index].SequenceName[index].SequenceName[index](...)

       where SequenceName is either a symbolic attribute name from the data
       dictionary or a numeric tag in the format (gggg,eeee), and index is an
       unsigned decimal integer for the item number, starting with zero for
       the first item in a sequence. As an example, the following location
       string

         ReferencedSeriesSequence[0].ReferencedImageSequence[1]

       would cause a digital signature to be created in the second item of the
       ReferencedImageSequence (0008,1140) which is located in the first item
       of the ReferencedSeriesSequence (0008,1115) which is located in the
       main DICOM dataset.
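The two input formats described above (the --tag / --tag-file tag syntax and the --sign-item location string) are small enough to parse in a few lines. The following is an added example, not code from dcmsign or DCMTK; the dictionary subset and the 64 kbyte check are assumptions built from the text, and only the two sequence tags quoted above plus PatientName are included.

```python
import re

# Constructed subset of the DICOM data dictionary (assumption: dcmsign uses
# its own, far larger dictionary). The two sequence tags are from the man page.
DICT = {
    "ReferencedSeriesSequence": (0x0008, 0x1115),
    "ReferencedImageSequence": (0x0008, 0x1140),
    "PatientName": (0x0010, 0x0010),
}
HEX4 = r"[0-9A-Fa-f]{4}"
CMDLINE_TAG = re.compile(rf"^({HEX4}),({HEX4})$")          # --tag "gggg,eeee"
FILE_TAG = re.compile(rf"^\(({HEX4}),({HEX4})\)$")          # tag file: (gggg,eeee)
LOCATION_STEP = re.compile(rf"^(\w+|\({HEX4},{HEX4}\))\[(\d+)\]$")

def parse_tag(token, from_file=False):
    """Resolve a symbolic name or numeric tag to a (group, element) tuple.
    Numeric tags carry parentheses only in the tag-file syntax."""
    m = (FILE_TAG if from_file else CMDLINE_TAG).match(token)
    if m:
        return int(m.group(1), 16), int(m.group(2), 16)
    if token in DICT:
        return DICT[token]
    raise ValueError("unknown tag: %r" % token)

def tags_to_sign(cmdline_tags=(), tag_file_text=None):
    """Combine --tag values and --tag-file contents into one ordered list."""
    if tag_file_text is not None and len(tag_file_text.encode()) > 64 * 1024:
        raise ValueError("tag file larger than 64 kbyte")
    keys = [parse_tag(t) for t in cmdline_tags]
    # Tags in the file are separated by one or more whitespace characters.
    keys += [parse_tag(t, from_file=True) for t in (tag_file_text or "").split()]
    return list(dict.fromkeys(keys))  # drop duplicates, keep first-seen order

def parse_location(location):
    """Parse a --sign-item location string into [((group, element), index), ...].
    Each step is Name[index] or (gggg,eeee)[index]; index is zero-based."""
    steps = []
    for step in location.split("."):
        m = LOCATION_STEP.match(step)
        if not m:
            raise ValueError("bad location step: %r" % step)
        name, index = m.group(1), int(m.group(2))
        tag = parse_tag(name, from_file=name.startswith("("))
        steps.append((tag, index))
    return steps
```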
LOGGING
       The level of logging output of the various command line tools and
       underlying libraries can be specified by the user. By default, only
       errors and warnings are written to the standard error stream. Using
       option --verbose also informational messages like processing details
       are reported. Option --debug can be used to get more details on the
       internal activity, e.g. for debugging purposes. Other logging levels
       can be selected using option --log-level. In --quiet mode only fatal
       errors are reported. In such very severe error events, the application
       will usually terminate. For more details on the different logging
       levels, see documentation of module 'oflog'.

       In case the logging output should be written to file (optionally with
       logfile rotation), to syslog (Unix) or the event log (Windows) option
       --log-config can be used. This configuration file also allows for
       directing only certain messages to a particular output stream and for
       filtering certain messages based on the module or application where
       they are generated. An example configuration file is provided in
       <etcdir>/logger.cfg.
COMMAND LINE
       All command line tools use the following notation for parameters:
       square brackets enclose optional values (0-1), three trailing dots
       indicate that multiple values are allowed (1-n), a combination of both
       means 0 to n values.

       Command line options are distinguished from parameters by a leading '+'
       or '-' sign, respectively. Usually, order and position of command line
       options are arbitrary (i.e. they can appear anywhere). However, if
       options are mutually exclusive the rightmost appearance is used. This
       behaviour conforms to the standard evaluation rules of common Unix
       shells.

       In addition, one or more command files can be specified using an '@'
       sign as a prefix to the filename (e.g. @command.txt). Such a command
       argument is replaced by the content of the corresponding text file
       (multiple whitespaces are treated as a single separator unless they
       appear between two quotation marks) prior to any further evaluation.
       Please note that a command file cannot contain another command file.
       This simple but effective approach makes it possible to summarize common
       combinations of options/parameters and avoids longish and confusing
       command lines (an example is provided in file <datadir>/dumppat.txt).
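The '@' command-file expansion just described, as an added example rather than DCMTK's own implementation: whitespace runs outside quotation marks separate arguments, quoted text is kept as one argument (assumption: the surrounding quote characters are removed), and a command file that itself references another command file is rejected. The file contents are passed in as a constructed dictionary so the example runs without touching the filesystem.

```python
def split_command_file(text):
    """Split command file text into arguments: any run of whitespace outside
    double quotes is one separator; quoted text stays together (quotes dropped)."""
    args, cur, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if in_quotes:
        raise ValueError("unterminated quotation mark in command file")
    if cur:
        args.append("".join(cur))
    return args

def expand_argv(argv, files):
    """Replace every @name argument by the arguments read from files[name].
    'files' is a constructed name -> contents mapping standing in for the disk."""
    expanded = []
    for arg in argv:
        if arg.startswith("@") and len(arg) > 1:
            name = arg[1:]
            if name not in files:
                raise FileNotFoundError("command file not found: %s" % name)
            for inner in split_command_file(files[name]):
                # Nesting is not allowed: a command file cannot contain @file.
                if inner.startswith("@"):
                    raise ValueError("command file %s references another command file" % name)
                expanded.append(inner)
        else:
            expanded.append(arg)
    return expanded
```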
ENVIRONMENT
       The dcmsign utility will attempt to load DICOM data dictionaries
       specified in the DCMDICTPATH environment variable. By default, i.e. if
       the DCMDICTPATH environment variable is not set, the file
       <datadir>/dicom.dic will be loaded unless the dictionary is built into
       the application (default for Windows).

       The default behaviour should be preferred and the DCMDICTPATH
       environment variable only used when alternative data dictionaries are
       required. The DCMDICTPATH environment variable has the same format as
       the Unix shell PATH variable in that a colon (':') separates entries.
       On Windows systems, a semicolon (';') is used as a separator. The data
       dictionary code will attempt to load each file specified in the
       DCMDICTPATH environment variable. It is an error if no data dictionary
       can be loaded.
COPYRIGHT
       Copyright (C) 2000-2010 by OFFIS e.V., Escherweg 2, 26121 Oldenburg,
       Germany.

Version 3.6.0 6 Jan 2011 dcmsign(1)